A 19-year-old identifying himself as a cybersecurity researcher claimed that the Central Board of Secondary Education’s on-screen marking (OSM) portal contains an encrypted ‘master password’ that can be used to bypass OTP verification, log into examiners’ accounts and even manipulate students’ marks.
The allegations were made by Nisarga Adhikary, who told Hindustan Times that he discovered the alleged vulnerability while examining the backend code of the OSM platform introduced this year for the Class 12 board exams.
However, CBSE denied that the actual assessment portal had been hacked, saying the vulnerabilities highlighted by the teenager were only related to an “exam website” containing sample data.
What is OSM?
CBSE has introduced the On-Screen Marking System (OSM) for Class 12 board examinations from 2026, replacing the traditional manual assessment process with digitally scanned answer sheets that are checked online. According to the board, the system aims to eliminate totalling errors, reduce manual intervention and speed up the evaluation process.
However, the rollout soon came under criticism after students began reporting issues ranging from blurry scans and missing pages to alleged mismatches in answer sheets uploaded during the reassessment process.
The controversy escalated after Vedant Shrivastava, a student from Delhi, claimed that the physics answer sheet uploaded under his roll number was not his. His posts went viral on social media, prompting CBSE to later admit in an email reviewed by Hindustan Times that a technical issue led to an incorrect scanned copy being uploaded.
A “master password” is allegedly embedded in the code
According to Adhikary, the portal’s front-end JavaScript package allegedly contains a “literal password string” embedded directly in the code. He claimed that after studying the authentication flow, he realized that the password could bypass security checks and directly open the evaluation dashboard.
“I started by examining the logic of username, password and one-time passwords (OTP) and how they are handled. Upon examining that, I found a master password,” he told Hindustan Times. “After reading the code for a bit, I saw that the master password can bypass all security protocols and open the dashboard directly.”
The teenager claimed that, using an examiner’s user ID and school code – information he described as publicly obtainable – the password could be used to access that examiner’s account without completing the OTP verification process.
“Marks can be tampered with”
Adhikary claimed that access was broad enough to allow changes to answer sheet assessments and examiner information.
“After that, you can use this password. You can make use of this password to log in to the account of any examiner. After logging in to this account, you can access the editing papers, examiner details, etc.”
He also claimed that he was able to access assessment dashboards and change information associated with examiners’ profiles.
“I can start evaluating the papers, changing their details, modifying the bank details and things in the portal,” he said.
When asked what a malicious actor could do with this access, Adhikary claimed that the flaw could likely have been used to tamper with marks and extract sensitive data.
He added: “He could have extracted data on a massive scale and sold it on the black market. He would have tampered with tags, changed people’s tags as he wanted.”
Other alleged vulnerabilities
In the interview, Adhikary also alleged flaws in the OTP system, password reset process and access controls within the portal.
“So anyone can enter anything junk in the old password and use anyone’s user ID and put in a new password to take control of their account, which is really insecure, in my opinion,” he said while describing the password reset mechanism.
It was also alleged that internal dashboards could be accessed without proper safeguards.
“And most of them, there are 40 disabling access control vulnerabilities that, like, you can access things that you shouldn’t have access to. You can view things that you shouldn’t, for example, be able to,” he said.
The teen said he reported the issues to the Indian Computer Emergency Response Team (CERT-In) in February and later shared additional technical details and screen recordings.
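The master-password and password-reset claims above both concern checks that only hold if the server enforces them, whatever the browser code contains. The following Node.js code is an added example, not code from the OSM portal or from the researcher: it keeps the password, OTP and old-password checks in server-side state with no shared credential branch, and all names and sample values in it are hypothetical.

```javascript
// Added example, not OSM portal code; every name and value here is hypothetical.
const crypto = require('node:crypto');

const hash = (pw, salt) => crypto.scryptSync(pw, salt, 32);
const sameBytes = (a, b) => a.length === b.length && crypto.timingSafeEqual(a, b);
const users = new Map();    // userId -> { salt, pwHash }
const sessions = new Map(); // token  -> { userId, otp, otpOk }

function addUser(userId, password) {
  const salt = crypto.randomBytes(16);
  users.set(userId, { salt, pwHash: hash(password, salt) });
}

// Per-user check only: there is no shared or fallback credential branch.
function checkPassword(userId, password) {
  const u = users.get(userId);
  return Boolean(u) && sameBytes(hash(String(password), u.salt), u.pwHash);
}

// Step 1: password. The session it creates is not yet authorised for anything.
function login(userId, password) {
  if (!checkPassword(userId, password)) return null;
  const token = crypto.randomBytes(16).toString('hex');
  const otp = String(crypto.randomInt(0, 1000000)).padStart(6, '0');
  sessions.set(token, { userId, otp, otpOk: false });
  return { token, otp }; // otp returned so the demo runs; a real service sends it out of band
}

// Step 2: OTP, compared against the value held on the server.
function verifyOtp(token, code) {
  const s = sessions.get(token);
  if (!s || !sameBytes(Buffer.from(String(code)), Buffer.from(s.otp))) return false;
  s.otpOk = true;
  return true;
}

// Every protected route re-checks the server-side flag, not anything the client sends.
function openDashboard(token) {
  const s = sessions.get(token);
  return s && s.otpOk ? { userId: s.userId } : null;
}

// Password change: target account comes from the session, and the old password must verify.
function changePassword(token, oldPassword, newPassword) {
  const s = sessions.get(token);
  if (!s || !s.otpOk || !checkPassword(s.userId, oldPassword)) return false;
  addUser(s.userId, newPassword);
  return true;
}
```

Because `changePassword` takes the account from the authenticated session rather than from a user ID in the request, a caller cannot name another examiner's account as the target.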
CBSE says only the ‘exam site’ is affected
CBSE has rejected allegations that its live assessment infrastructure has been hacked.
“At the outset, it was clarified that the portal used to evaluate the answer books had a different URL, which was not hacked and did not have the vulnerabilities pointed out in the said social media post. The URL: http://cbse.onmark.co.in is only the exam site with sample data for internal testing and review purposes,” the board said in a statement.
The board added that no security breach was identified in the OSM portal used for the actual assessment work, and said the system was implemented “with robust grievance redressal mechanisms built into it”.
Adhikary disputed CBSE’s assertion that the portal was merely a testing environment.
“Secondly, I had access to the production data. It is as if I hijacked the account of an examiner while taking the exam. This person is a real physics teacher in some school in India and is in the faculty directory on the school website.”
Between allegations of mismatched answer sheets, social media outrage over OSM glitches, and now questions over portal security, CBSE has come under increasing criticism over the risks of implementing large-scale technology reforms without adequate transparency and safeguards.
